sync/ports
1
0
Fork 0
mirror of https://git.freebsd.org/ports.git synced 2025-07-06 20:09:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix off-by-one and buffer underflow

Browse source 
- Prevent potential denial-of-service via syslog
- int -> unsigned char fixes

Approved by:	Maintainer
This commit is contained in:
Chris D. Faulhaber 2001-04-06 14:46:42 +00:00
parent 79c5636b98
commit 77f90805c8
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=40952
3 changed files with 99 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
net/ntp-devel/files/patch-ntp_control.c
View file

@ -1,24 +1,44 @@
--- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000 --- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001 +++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
@@ -1821,9 +1821,19 @@ @@ -1782,7 +1782,7 @@
* Delete leading commas and white space
*/
while (reqpt < reqend && (*reqpt == ',' ||
- isspace((int)*reqpt)))
+ isspace((unsigned char)*reqpt)))
reqpt++;
if (reqpt >= reqend)
return (0);
@@ -1805,7 +1805,8 @@
tp++;
}
if ((*tp == '\0') || (*tp == '=')) {
- while (cp < reqend && isspace((int)*cp))
+ while (cp < reqend &&
+ isspace((unsigned char)*cp))
cp++;
if (cp == reqend || *cp == ',') {
buf[0] = '\0';
@@ -1819,15 +1820,18 @@
cp++;
tp = buf;
while (cp < reqend && while (cp < reqend &&
isspace((int)*cp)) - isspace((int)*cp))
+ isspace((unsigned char)*cp))
cp++; cp++;
- while (cp < reqend && *cp != - while (cp < reqend && *cp !=
- ',') - ',')
+ while (cp < reqend && *cp != ',') { + while (cp < reqend && *cp != ',') {
*tp++ = *cp++; *tp++ = *cp++;
+ if (tp > buf + sizeof(buf)) { + if (tp >= buf + sizeof(buf))
+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port)
+);
+ return (0); + return (0);
+ }
+ } + }
if (cp < reqend) if (cp < reqend)
cp++; cp++;
*tp = '\0'; *tp = '\0';
- while (isspace((int)(*(tp-1))))
+ while (tp != buf &&
+ isspace((unsigned char)(*(tp-1))))
*(--tp) = '\0';
reqpt = cp;
*data = buf;

46
net/ntp-stable/files/patch-ntp_control.c
View file

@ -1,24 +1,44 @@
--- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000 --- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001 +++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
@@ -1821,9 +1821,19 @@ @@ -1782,7 +1782,7 @@
* Delete leading commas and white space
*/
while (reqpt < reqend && (*reqpt == ',' ||
- isspace((int)*reqpt)))
+ isspace((unsigned char)*reqpt)))
reqpt++;
if (reqpt >= reqend)
return (0);
@@ -1805,7 +1805,8 @@
tp++;
}
if ((*tp == '\0') || (*tp == '=')) {
- while (cp < reqend && isspace((int)*cp))
+ while (cp < reqend &&
+ isspace((unsigned char)*cp))
cp++;
if (cp == reqend || *cp == ',') {
buf[0] = '\0';
@@ -1819,15 +1820,18 @@
cp++;
tp = buf;
while (cp < reqend && while (cp < reqend &&
isspace((int)*cp)) - isspace((int)*cp))
+ isspace((unsigned char)*cp))
cp++; cp++;
- while (cp < reqend && *cp != - while (cp < reqend && *cp !=
- ',') - ',')
+ while (cp < reqend && *cp != ',') { + while (cp < reqend && *cp != ',') {
*tp++ = *cp++; *tp++ = *cp++;
+ if (tp > buf + sizeof(buf)) { + if (tp >= buf + sizeof(buf))
+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port)
+);
+ return (0); + return (0);
+ }
+ } + }
if (cp < reqend) if (cp < reqend)
cp++; cp++;
*tp = '\0'; *tp = '\0';
- while (isspace((int)(*(tp-1))))
+ while (tp != buf &&
+ isspace((unsigned char)(*(tp-1))))
*(--tp) = '\0';
reqpt = cp;
*data = buf;

46
net/ntp/files/patch-ntp_control.c
View file

@ -1,24 +1,44 @@
--- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000 --- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001 +++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
@@ -1821,9 +1821,19 @@ @@ -1782,7 +1782,7 @@
* Delete leading commas and white space
*/
while (reqpt < reqend && (*reqpt == ',' ||
- isspace((int)*reqpt)))
+ isspace((unsigned char)*reqpt)))
reqpt++;
if (reqpt >= reqend)
return (0);
@@ -1805,7 +1805,8 @@
tp++;
}
if ((*tp == '\0') || (*tp == '=')) {
- while (cp < reqend && isspace((int)*cp))
+ while (cp < reqend &&
+ isspace((unsigned char)*cp))
cp++;
if (cp == reqend || *cp == ',') {
buf[0] = '\0';
@@ -1819,15 +1820,18 @@
cp++;
tp = buf;
while (cp < reqend && while (cp < reqend &&
isspace((int)*cp)) - isspace((int)*cp))
+ isspace((unsigned char)*cp))
cp++; cp++;
- while (cp < reqend && *cp != - while (cp < reqend && *cp !=
- ',') - ',')
+ while (cp < reqend && *cp != ',') { + while (cp < reqend && *cp != ',') {
*tp++ = *cp++; *tp++ = *cp++;
+ if (tp > buf + sizeof(buf)) { + if (tp >= buf + sizeof(buf))
+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port)
+);
+ return (0); + return (0);
+ }
+ } + }
if (cp < reqend) if (cp < reqend)
cp++; cp++;
*tp = '\0'; *tp = '\0';
- while (isspace((int)(*(tp-1))))
+ while (tp != buf &&
+ isspace((unsigned char)(*(tp-1))))
*(--tp) = '\0';
reqpt = cp;
*data = buf;